The documentation hints that it is possible to use the auth token to change user_metadata directly from the client, but I can’t figure out how after reading reading through all the documentation I can find.

I am using Lock to login/register, but want to have a page for the user to change email, password, avatar and potentially other fields. I can get the user profile using userinfo (and also from Lock).

I’m assuming that you have a SPA and that you’re using Lock embedded in the client application itself. The operations you’re trying to perform can be accomplished through calls to the Management API, but depending on the operations in question the caller must be a confidential client (aka able to keep a secret in order to perform client credentials grant and a SPA does not qualify).

Although as you mentioned it is possible for a browser-based application to directly obtain a token usable in Management API calls to update the user metadata of the single user to which the token is associated some of the other operation you want to perform require a confidential client.

The recommendation for a SPA would be to have a middleman (HTTP API controlled by you) that would broker the calls from the SPA to the Management API. It’s highly likely that a SPA is already supported by an HTTP API so it would be a matter of exposing certain user profile management endpoints that would require an access token and would then forward calls to the Management API. In summary, your API would ensure that who’s calling DELETE /user in your API has a valid API access token associated with User X and would translate that call to a Management API call that would delete User X (the management API call would be authorized by a client credentials access token obtained by your API itself.